• Category: Security
  • Status: confirmed
  • Sources: DepthFirst research, HN discussion
  • Summary: DepthFirst reports its autonomous security agent found 21 previously unknown vulnerabilities in FFmpeg at a cost of about $1,000, spanning the TS demuxer, VP9 decoder, swscale, RTP depacketizers, DASH demuxer, RTSP server, RTMP client, and the option parser. Nine carry CVE identifiers (CVE-2026-39210 through CVE-2026-39218); the remainder are fixed upstream and awaiting numbers. The most severe, DFVULN-127, is a heap buffer overflow in the AV1 RTP depacketizer where a single 183-byte packet over a network-reachable RTSP stream can redirect execution to an unauthenticated RCE primitive. Several bugs had been latent for 15 to 20 years.
  • Comments: HN discussion separated genuine memory-safety findings from agent-volume noise and debated maintainer burden from AI-generated reports against FFmpeg.
  • Why it matters: FFmpeg is embedded across media pipelines and browsers, so network-reachable RTP and RTSP overflows are broadly exposed, and the result shows agent-driven bug finding is now cheap enough to scale.
  • Follow-up: Track CVE assignment for the remaining 12 findings and downstream re-vendoring of patched FFmpeg.

Send feedback on this story